Does Mozilla check Firefox themes for malicious code before they are published like it does with other add-ons?
I understand that Mozilla checks Firefox add-ons for malicious code and only accepts and signs them if they are clean and safe. However, there is no mention anywhere of whether it does the same with themes, even though they are considered a type of add-on. So does Mozilla check themes for malicious code before they are uploaded? Even if they are just images, they can still contain malicious code.
If Mozilla does so, it would be nice if it stated so somewhere on its website and also signed themes. If Mozilla does not do so, it would be advisable that it should.
Chosen solution
I don't know if there is a review process for "lightweight themes" of the kind there are for extensions and full themes. If you don't find a clear answer to that, you could follow up with the Add-ons team on their forum here: https://discourse.mozilla-community.org/c/add-ons
A lightweight theme consists of two images (typically PNG or JPEG), one for the top part of the browser and one for the bottom. More info: https://developer.mozilla.org/Add-ons/Themes/Lightweight_themes
The kinds of images that pose a security risk generally exploit a flaw in a program's handling of the image file. This kind of flaw usually needs to be fixed through a patch to Firefox (or other affected program), and I would be surprised if it first came to light in a theme rather than, say, an image shared on social media or a targeted attack. But it could happen.
It may be difficult to test whether an image exploits an image parsing flaw without a specialized malware research environment, because the effects may not be obvious to an overworked code reviewer. Did you have any ideas/suggestions on how it should be done?
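One practical answer to the reviewer's question above is that a review tool cannot prove an image is harmless, but it can cheaply reject the malformed structures that typically trigger parser bugs before the file ever reaches a real decoder: chunk length fields that lie about the file size, bad CRCs, dimensions that do not match the compressed pixel data, and payload hidden after IEND. The following is an added example written for this page, not Mozilla's review tooling; the MAX_DIMENSION cap, the decision to skip interlaced images, and the sample PNGs built inline are all assumptions made for the example.

```python
"""Structural sanity check for PNG theme images (added example, not Mozilla code)."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_CHUNK_LEN = 0x7FFFFFFF   # PNG spec: a chunk length must fit in 31 bits
MAX_DIMENSION = 1 << 14      # assumption: no theme image exceeds 16384 px on a side
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}   # PNG colour type -> samples per pixel


def chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk with a correct CRC (used to build the sample input)."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_png(width: int, height: int, raw_rows: bytes) -> bytes:
    """Assemble an 8-bit RGB, non-interlaced PNG around already-filtered rows."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (PNG_SIGNATURE + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(raw_rows)) + chunk(b"IEND", b""))


def png_findings(data: bytes) -> list[str]:
    """Return structural anomalies found in a PNG byte string.
    An empty list means structurally clean, which is not the same as safe;
    it only removes the easy cases a reviewer would otherwise miss."""
    findings: list[str] = []
    if not data.startswith(PNG_SIGNATURE):
        return ["not a PNG: bad signature"]
    pos = len(PNG_SIGNATURE)
    header = None          # (width, height, depth, colour type, interlace) once IHDR is parsed
    idat_parts = []
    seen_iend = False
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if length > MAX_CHUNK_LEN:
            findings.append(f"{ctype!r} chunk length {length} exceeds spec maximum")
            break
        if pos + 12 + length > len(data):      # the classic lying-length-field case
            findings.append(f"{ctype!r} chunk length {length} runs past end of file")
            break
        body = data[pos + 8:pos + 8 + length]
        (stored_crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if stored_crc != zlib.crc32(ctype + body) & 0xFFFFFFFF:
            findings.append(f"{ctype!r} chunk CRC mismatch")
        if not ctype.isalpha():
            findings.append(f"non-alphabetic chunk type {ctype!r}")
        if ctype == b"IHDR":
            if header is not None:
                findings.append("duplicate IHDR")
            elif length != 13:
                findings.append(f"IHDR length {length}, expected 13")
            else:
                w, h, depth, colour, _comp, _filt, interlace = struct.unpack(">IIBBBBB", body)
                header = (w, h, depth, colour, interlace)
                if not (0 < w <= MAX_DIMENSION and 0 < h <= MAX_DIMENSION):
                    findings.append(f"implausible dimensions {w}x{h}")
        elif header is None:
            findings.append(f"{ctype!r} before IHDR")
        elif ctype == b"IDAT":
            idat_parts.append(body)
        pos += 12 + length
        if ctype == b"IEND":
            seen_iend = True
            break
    if not seen_iend:
        findings.append("missing IEND")
    elif pos < len(data):
        findings.append(f"{len(data) - pos} trailing bytes after IEND")
    # Cross-check: does the compressed pixel data decode to exactly what IHDR implies?
    if header is not None and not findings and idat_parts:
        w, h, depth, colour, interlace = header
        if interlace == 0 and colour in CHANNELS:      # assumption: interlaced images are skipped
            expected = h * (1 + (w * CHANNELS[colour] * depth + 7) // 8)   # one filter byte per row
            try:   # the max_length cap keeps a decompression bomb from exhausting memory
                out = zlib.decompressobj().decompress(b"".join(idat_parts), expected + 1)
            except zlib.error:
                findings.append("IDAT is not a valid zlib stream")
            else:
                if len(out) > expected:
                    findings.append(f"IDAT decodes to more than the {expected} bytes IHDR implies")
                elif len(out) < expected:
                    findings.append(f"IDAT decodes to {len(out)} bytes, IHDR implies {expected}")
    return findings


# Constructed sample inputs for the example; none of these are real theme files.
CLEAN_PNG = build_png(1, 1, b"\x00" + b"\x00\x00\x00")           # one black pixel, filter type 0
TRAILING_PNG = CLEAN_PNG + b"\x00" * 16                          # payload appended after IEND
HUGE_DIMS_PNG = (PNG_SIGNATURE
                 + chunk(b"IHDR", struct.pack(">IIBBBBB", 0xFFFFFFFF, 1, 8, 2, 0, 0, 0))
                 + chunk(b"IDAT", zlib.compress(b"\x00\x00\x00\x00")) + chunk(b"IEND", b""))
SHORT_DATA_PNG = build_png(4, 1, b"\x00" + b"\x00\x00\x00")      # IHDR says 4 pixels, IDAT holds 1
_lie = bytearray(CLEAN_PNG)
struct.pack_into(">I", _lie, 33, 0x10000000)                     # IDAT length field now points past EOF
LENGTH_LIE_PNG = bytes(_lie)

if __name__ == "__main__":
    for name, blob in [("clean", CLEAN_PNG), ("trailing", TRAILING_PNG), ("huge_dims", HUGE_DIMS_PNG),
                       ("short_data", SHORT_DATA_PNG), ("length_lie", LENGTH_LIE_PNG)]:
        print(f"{name:11s} {png_findings(blob) or 'no findings'}")
```

A check like this is deliberately conservative: it never decodes pixels with a real image library, it caps decompression at the size IHDR promises, and it stops at the first lying length field rather than trying to resynchronise. Anything it flags is a reason to reject the upload or send it to a sandboxed analysis environment; anything it passes still has to be treated as untrusted input.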
All Replies (3)
https://wiki.mozilla.org/Addons/Extension_Signing
Only extensions need to be signed, as themes (both background images and complete, actual themes), dictionaries, language packs, and plugins don't need to be signed.
I know they do approve the background images based on subject matter. There was some recent controversy when a private email saying not to approve Gamergate and provocative anime stuff was leaked.
James said
https://wiki.mozilla.org/Addons/Extension_Signing
Only extensions need to be signed, as themes (both background images and complete, actual themes), dictionaries, language packs, and plugins don't need to be signed.
All of those, even if not signed, are reviewed and virus-scanned if they are served from addons.mozilla.org.
In the near future (Firefox 41?) language packs will need to be signed as well.